Uridzu might be a new version of Globe Imposter 2.0

Uridzu is a ransomware-type cyber threat that seems to be related to Globe Imposter family. The virus is still under investigation, but researchers assume that it’s a variant of Globe Imposter 2.0, which mostly targeted computer users in China,[1] Egypt, and Hungary. It started encrypting files and appending .crypted_uridzu@aaathats3as_com extension in November 2017.

The file-encrypting virus is capable of encrypting computers and servers. The virus might use RDP attacks[2] to affect devices and spread through the network infecting other computers. Once inside, Uridzu ransomware makes critical system changes, disables computer’s security and starts data encryption.

Questions about Uridzu ransomware

Following data encryption, Uridzu virus delivers a ransom note called “how_to_back_files.html.” It opens a browser’s window which provides information about encrypted files. Here victims are asked to send an email to uridzu@aaathats3as_com and learn how they can get Uridzu decryptor:

Your documents, photos, databases and other important files have been encrypted cryptographically strong, without the original key recovery is impossible! To decrypt your files you need to buy the special software – “URIDZU DECRYPTOR” Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk.If you want to restore files, write us to the e-mail: uridzu@aaathats3as.com In subject line write “encryption” and attach your personal ID in body of your message also attach to email 3 crypted files. (files have to be less than 10 MB)It is in your interest to respond as soon as possible to ensure the recovery of your files, because we will not store your decryption keys on our server for a long time.Your personal ID[redacted]

Malware researchers warn that criminals will demand to pay a few hundreds of dollars in Bitcoins for a chance to restore files encrypted by Uridzu. However, following these instructions is a huge risk. Criminals may never give you a decryptor once they receive the payment.

The purpose of all ransomware-type cyber threats is to swindle the money from computer users, and data recovery is just the matter of their conscience. Instead of risking to lose your money and increase the damage, you should remove Uridzu from the computer immediately.

Major security programs can detect malware as Trojan-Ransom.Win32.Purgen or under similar names. Thus, you should choose a reliable anti-malware tool for Uridzu removal. If you are not sure which software to use, we recommend Reimage.

The ways how ransomware gets inside computers

Developers of ransomware usually stick to malicious spam emails as the main ransomware distribution method.[3] They include an obfuscated malware payload in the email and write an important reason to convince users into opening it. If a user believes in such trickery, malware gets inside the system and starts data encryption.

Thus, users are advised to be careful with received emails and do not rush opening attachments. Additionally, if you are not using RDP connections, you should disable to prevent the attack. However, if you need it, you have to set strong and hard to break a password.

Remove Uridzu virus from the computer using security software

The only correct way to remove Uridzu from the device is to scan the system with reputable malware removal software. We highly recommend using Reimage or MalwarebytesMalwarebytesCombo Cleaner to wipe out malware-related components entirely. But first, you should reboot the computer to Safe Mode with Networking (instructions are given below).

Keep in mind that Uridzu removal won’t restore your files. It only terminates malicious entries from the system, which is an extremely important task. Currently, you can restore your data just from backups. However, if you do not have them, you can try alternative tools. You can find our recovery suggestions at the end of the article. Though, you should not get high expectations to get back all of the lost data.

What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.

Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Uridzu removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

When a new window shows up, click Next and select your restore point that is prior the infiltration of Uridzu. After doing that, click Next.

Now click Yes to start system restore.

Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Uridzu removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Uridzu from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

The official Uridzu ransomware decryptor is not available yet. However, instead of buying software from cyber criminals, you should try alternative recovery methods to restore at least some of your files.

If your files are encrypted by Uridzu, you can use several methods to restore them: